How CarolinaMLS detects password sharing

By Debbie Wey
Vice President, CarolinaMLS Administration

Since 2008, CarolinaMLS has used an application called RISK to detect potential password sharing.  RISK collects and analyzes more than 30 pieces of data with every login for potential password sharing, and it scores all users with a RISK score.

We recently reactivated a feature in RISK that analyzes keystroke dynamics for each login, which caused an increase in the number of users with high RISK scores.

Risky behaviors include:

  • Frequent logins, e.g., 10 times in an hour
  • Simultaneous logins from separate locations, e.g., a login from Matthews and a login from Huntersville only 10 minutes apart
  • Different keystroke patterns, e.g., an expert typist vs. a novice
  • Logging in with an unusual number of devices, e.g., four desktop computers and four mobile devices

It is possible a user may demonstrate one or two of these behaviors.  However, it’s unlikely for a user to demonstrate ALL of these behaviors, and that’s when “remediation” kicks in.  Remediation is a series of steps used to resolve high RISK scores.  Each step includes an alert when you log into the system and an email prompting you to change your password.  Changing your password resolves most issues, but in extreme situations RISK requires a one-time password every time you log in.

If you receive an alert or email, here’s what you should do:

  1. Change your password to something unique and different. Not all password sharing is intentional, and it’s possible that someone else in your office has access to your password and is using it. Changing the password and not sharing it with anyone usually resolves the problem.
    • Do not share your password with anyone for any reason whatsoever – not your spouse, assistant, client or another agent.
    • If you have assistants or teammates who work in Matrix on your behalf, ensure they are logging in with their own credentials, and then follow the steps for identity sharing.
    • Third-party vendors are common culprits. Do not share your login and password with companies that work with MLS data for profit, even if they tell you it is okay and allowed. THEY’RE LYING!  They’d rather risk you being fined than pay the costs associated with accessing MLS data the legal way.  This page explains how third-party vendors can access MLS data.
  1. Make sure you have geolocation turned on. Turning on the location services can help with lowering high RISK scores.  These are the steps to follow for phones, tablets, Mac and Windows PCs.
  2. If you are logging in 10 times per hour, consider changing your behavior. Matrix allows up to one hour of inactivity before automatically logging you off.  You can leave your Matrix window open but minimized on your desktop while you are working in other applications.
  3. If you have tried all of these options and are still receiving RISK alerts and emails, contact CarolinaMLS to help resolve the issue. We can schedule a time for you to connect with our vendor to collect login samples to determine why your RISK score is high.

We do not rely solely upon RISK to issue password violations.  We use RISK to help identify potential password sharing and to provide supporting evidence when password sharing violations are reported to us or identified during delivery of customer service and technical support.

Password sharing carries a $1,000 fine for the first violation, a $3,000 fine for the second violation and expulsion from CarolinaMLS for a period of one year for the third violation. Reinstatement requires approval of the CarolinaMLS Board of Directors.